How RainyDay, Turian and a new PlugX variant abuse DLL search order hijacking

Abuse of DLL Search Order Hijacking by Naikon and BackdoorDiplomacy

Cisco Talos has identified an ongoing campaign targeting the telecommunications and manufacturing sectors in Central and South Asian countries. Based on our analysis of collected evidence, we assess with medium confidence that this campaign can be attributed to Naikon, an active Chinese-speaking threat actor that has been operating since 2010.

Similarities between RainyDay, Turian and PlugX variants

During our investigation and hunting efforts for RainyDay backdoors, Talos uncovered two significant findings. First, we found that several instances of the Turian backdoor and newly identified variants of the PlugX backdoor were abusing the same legitimate Mobile Popup Application as RainyDay to load themselves into memory.

Second, we observed that the three malware families leverage loaders which not only have a similar XOR decryption function but also use the same RC4 key to decrypt the encrypted payload. This finding enables us to make assessments regarding attribution.
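The loading technique described above relies on Windows resolving a DLL from the application's own directory before System32. As an added example (not Talos's code, and not tied to any specific sample), the script below hunts for that precondition: a DLL whose name collides with a system DLL sitting next to an executable. The system DLL list and the directory layout are constructed for offline use; on a real host you would enumerate %SystemRoot%\System32 instead.

```python
import os
import tempfile
from pathlib import Path

# Constructed set of DLL names normally resolved from System32 (assumption for
# offline use); a live hunt would use os.listdir(r"C:\Windows\System32").
# KnownDLLs such as kernel32.dll are exempt from application-directory lookup,
# so they should be excluded from a real list.
KNOWN_SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "userenv.dll", "wtsapi32.dll"}


def find_sideload_candidates(root, system_dlls=KNOWN_SYSTEM_DLLS):
    """Return (exe_path, dll_path) pairs where a DLL named like a system DLL
    sits in the same directory as an executable. Such a DLL is loaded in place
    of the real one when the executable imports it, which is the search order
    hijacking precondition the loaders above depend on."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        exes = sorted(n for n in names if n.endswith(".exe"))
        if not exes:
            continue
        shadowing = sorted(n for n in names if n in system_dlls)
        for dll in shadowing:
            for exe in exes:
                findings.append((os.path.join(dirpath, exe),
                                 os.path.join(dirpath, dll)))
    return findings


def build_constructed_tree():
    """Create a constructed layout: one app dir with a shadowing DLL, one clean."""
    root = tempfile.mkdtemp(prefix="sideload_demo_")
    app = Path(root, "PopupApp")          # hypothetical application folder
    app.mkdir()
    (app / "popup.exe").write_bytes(b"MZ constructed")
    (app / "version.dll").write_bytes(b"MZ constructed")  # collides with System32
    clean = Path(root, "Other")
    clean.mkdir()
    (clean / "tool.exe").write_bytes(b"MZ constructed")
    (clean / "helper.dll").write_bytes(b"MZ constructed")  # private DLL, not a hit
    return root


def demo():
    """Build the constructed tree and return the hunt results."""
    return find_sideload_candidates(build_constructed_tree())


if __name__ == "__main__":
    for exe, dll in demo():
        print(f"candidate: {dll} shadows a system DLL next to {exe}")
```

A hit is only a lead: confirm it by checking the DLL's signature and exports against the genuine System32 copy before treating it as a side-loading payload.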

Naikon and BackdoorDiplomacy: A Shared Threat Actor?

Naikon is a well-known Chinese-speaking cyber espionage group that has been active since at least 2010. This threat group has primarily targeted government, military, and civil organizations across Southeast Asia. Naikon employs a variety of backdoors, including Aria-body, Nebulae and RainyDay.

BackdoorDiplomacy is another malware family that shares similarities with RainyDay. While the exact attribution to Naikon is unclear, our analysis suggests that there may be a connection between these two threat actors.

The Customized PlugX Variant

Talos has high confidence that the PlugX variant observed in this campaign is a customized version of BackDoor.PlugX.38. This anomaly strongly suggests that the threat actors likely have access to the original source code of PlugX, enabling them to modify it in this manner.

The customized variant introduces additional encryption techniques and modifications to the keylogger functionality, indicating a high level of sophistication from the threat actor.

Potential Vulnerabilities and Mitigation

Cisco Secure Endpoint is ideally suited to prevent the execution of this malware. Try Secure Endpoint for free here. Cisco Secure Email can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. Cisco Secure Network/Cloud Analytics analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics identifies malicious binaries and builds protection into all Cisco Secure products. Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless, transparent and secure access to the internet, cloud services or private applications no matter where your users work.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Cisco Secure Web Appliance automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.